W3C Web Payments and the Banking Industry

Hi WPIG, (bcc: WPWG - just as a heads-up)

This is a super-delayed status report from a presentation I did in late
May to the US Federal Reserve's Secure Payments Task Force. It includes
food for thought around the future direction of the Web Payments and
Verifiable Claims work at W3C.

My presentation ran for around 75 minutes to 80-100 security-related
management-level folks (CISOs / VPs, mostly) on W3C's Web Payments,
Verifiable Claims, and CG work in Blockchains and "identity". You can
get an idea of the participant organizations here:

https://fedpaymentsimprovement.org/payments-security/about-the-task-force/roster/

The goal of this presentation was to get more engagement from the
banking industry in all three work streams culminating in new W3C
members and increased participation. The presentation that I gave can be
found here:

https://docs.google.com/presentation/d/10l7SKWDPuQmvzuY3Ivsv2K345Kok3FMu6kt2gGalq4g/edit

Here are the takeaways:

* The value proposition of Web Payments to banks is not clear enough
  for employees to take it to their boards.
* The value proposition of Verifiable Claims is clear, but there is a
  question around liability that has remained unanswered for 10+ years.
* The value proposition of Anti-Fraud Blockchains is clear, but
  understanding of it is limited and it's "10 years away".
* It is unlikely that the US banks will engage more deeply until we put
  more work into a solid value proposition and executive summary for
  them (or talk them through it).

Here are the opportunities:

* Several bank executives said that they're willing to work with us on
  the value proposition for Web Payments and Verifiable Claims.
* Two US banks were identified as the banks that may be the best
  to reach out to after we have our banking value prop nailed down.
  Two other EU banks also came up as ones that may be willing to engage.
  I have identified these banks to W3C Management.
* The US Fed seems willing to move on something related to Anti-Fraud
  Blockchains and open standards, but in 2018 or beyond.
* There is a tremendous amount of buy-in to the US Fed's Faster and
  Secure Payments framework, principles, and use cases. That should
  inform W3C's technology road map in Web Payments, Verifiable Claims,
  and Blockchain.

Here are the action items:

* Reach out to the two Tier II banks to see if they want
  to engage on Web Payments or Verifiable Claims AFTER we've ironed out
  the value proposition with more risk-averse big banks.
* Engage with BITS to see what it would take to get their public
  support for the W3C Web Payments and Verifiable Claims work.
* Work with US Fed in 2018 to create a business/joint group between
  Secure Payments Task Force and W3C.
* Align the ISO Blockchain initiatives and "identity" initiatives with
  the W3C initiatives.
* Increase focus on anti-fraud use cases and security as they seem to be
  what the US banks are most concerned about right now (granted, this
  was a security-focused gathering).

---------------------------------

The rest of this is LONG, apologies, but I wanted to provide more raw
data so that others could come to conclusions of their own.

I quick polled the room as I went through the presentation. Around 60%
of the room knew about the W3C. Around 50% of the room knew about the
Web Payments work, but only around 40% of them felt that it affected
them. Around 20% knew about the Verifiable Claims work and around the
same amount felt that it would affect them. Less than 5% knew that W3C
CGs were doing anything in the Blockchain space.

I'm told that the presentation was very well received. There was a
constant stream of clarifying, non-aggressive questions throughout the
presentation that demonstrated a basic understanding of what was being
presented and acceptance of W3C's leadership in this space. The US Fed
folks said that hallway discussion also indicated that the people in the
room appreciated the debrief.

I remain slightly sceptical as even though the above is true, my hallway
conversations with several individuals demonstrated that they barely
grasped how the work being done at W3C applied to their bank. Some of
them viewed the Web Payments work as "a pretty screen to help people
checkout" rather than something that applied more deeply to their business.

Keep in mind that my sample size is around 15-20 individuals over two
days, so the following isn't the whole picture, but should be used with
other information that we have to inform future engagement in the
banking sector.

"Why do you think we don't have more engagement from the banking
industry?" was a question I asked most everyone, and here are the sorts
of responses I received:

Top 10 bank exec: "We know about what W3C is doing in this (Web
Payments) space and we don't think W3C knows that they're playing with
fire. We see the browser manufacturers at the table wilfully trying
to dis-intermediate us. We're not going to help them do that. We do want
to participate, but on our terms, the tables are not tilted in our favour."

When I underscored that we support 3rd party payment handlers and banks
could have their own digital wallets, he responded that while that's the
future they want, bank-based digital wallets (native apps) have largely
failed and so there is very little appetite at the board level to pursue
that again right now. This person said that they've personally started
$1.2B in projects at their bank over the past 25 years, so money isn't
the issue... it's the value prop to the bank and the danger of being
disintermediated.

Top 10 bank exec: "The Verifiable Claims work is interesting, but who
holds the liability? If I use a credential that someone else issued to
do my onboarding process, and the credential is fraudulent, who is
fined? If it's me, then that's no different than today, so what's the
value prop? That people can defraud me faster than they do today? The
second the regulators come out with a Verifiable Claim that I can use
that absolves me of liability when using that credential, I will be
there in a heartbeat with a pile of money."

The upside to this conversation is that he wants a follow up call to
discuss the value proposition to the bank, so I'll be following up with
him. He was more interested in the Verifiable Claims work than the Web
Payments work, most likely because he deals w/ bank security more than
customer products. I offered to put him in touch w/ W3C, but he declined
until we talk in more detail about it.

Top 25 bank exec: "You haven't made the Web Payments value proposition
clear. How does this save me money? How do banks make money on this
stuff? I need that when I go to my board for approval. What product am I
going to build with this technology and why are my customers going to
use it? My vendors are going to bring this to me when it becomes
important, until then, I don't have a strong incentive to move on it.
I'm just going to wait for some other bank to pick it up and run with it."

Top 25 bank exec: "You're working at a layer that's far below what banks
work at... our vendors care about this stuff, we don't. If this stuff is
important, they'll build it into the products that they sell us."

Top 100 bank exec: "Banks make very little money on customer experience
these days. Most of the big banks make money on trading/investing, so
they don't really care about the customer experience as long as it's
not that much more terrible than their competitors."

Ex top-10 exec: "You need to focus on banks that are more aggressive
with this stuff like [very specific Tier II banks redacted]. They're the
leaders in this area. The big banks aren't going to do anything until
those two do something. The smaller banks don't have the bandwidth to
participate. These aren't technology companies, their vendors are, and
even they wait for things to shake out in other industries before
jumping on board. This industry is really good at locking innovation out
if they don't want it... innovation leads to horribly expensive upgrades
in our industry."

20+year industry veteran (retired): "These folks don't have to work very
hard to make money. The stuff you're asking them to do seems like a
heavy lift to them. It's also a culture thing. Many of these folks are
2nd or 3rd generation bankers. The solution isn't coming from their
community and they're used to being able to lock that sort of stuff out
of their systems. Even worse, you've allied yourself with people that
have consistently tried to disintermediate them over the past 20+ years.
You need to get a few credible folks in our community saying that what
you're doing is beneficial and the others will follow."

Small bank CEO: "You may want to talk to the [redacted state] DMV about
Verifiable Claims - they are leading the US in digital identity
initiatives. I wish you weren't supporting card number in the clear
payments. That's exactly what's wrong with the industry today and you're
just reinforcing that absolutely broken security model. I'm also
dismayed that you're talking with [redacted tokenization group].
[redacted] is useless, they're not going to help you on security.
[redacted] are out for themselves, don't trust them. I get that you need
to do that politically, but you're not winning any points with me by
working with them." (note that this CEO was one of the most opinionated
and aggressive in the room, but was also one of the most well
respected). I've passed the redacted names on to the Chairs and W3C
Management.

Small vendor: "Take the Financial Services Technology Council logo off
of your slides, that's hurting your credibility. They were bought by
BITS during the 2008 recession. Have you talked to BITS? Get them to
agree that what you're doing is a good thing, that'll get you into the
board room, most everyone in here will adopt if BITS says that this is
the future."

Medium vendor and payment network operator: "We'd love to bring our
tokenization technology, patents and all, to W3C and provide it as the
basis for your tokenization work." I'm following up with them as they
also didn't want to talk with W3C until they understood the process and
what was involved. I'll be pushing them to participate.

David Ezell's name came up numerous times when talking w/ the X9, ISO,
and TG1 folks. They mentioned that they've talked with him on a number
of occasions about this stuff and said his engagement on all of this was
very helpful and appreciated.

There was also a general sense of frustration in the group as they've
been engaged with the US Fed's Faster Payments and Secure Payments work
now for 3+ years and they're still working on framework, principles, and
use cases. The banks want solutions and US Fed has no real mandate to
provide the solutions (a new faster and more secure payments network)
that the banks want.

The banks want to know who is going to pay for faster or more secure,
especially if there is no new regulation mandating it. So, most everyone
is stuck in a wait and see cycle. The US Fed is waiting for industry to
step up and take the lead now that they've spelled out the desired
outcome that the banks want. The banks are waiting for the US Fed to
hint at the right way forward or to stand up a new faster and more
secure payments network.

There is a tremendous amount of buy-in to the US Fed's Secure Payments
framework, principles, and use cases. That should help inform W3C's
technology road map in Web Payments, Verifiable Claims, and Blockchain.

That's more or less all I can remember for now.

-----------------

I passed this on to W3M in early June. My contact w/ the banks since
then shows no real change wrt. the above.

Hopefully this information can help us guide the next steps of the work
we'll do via the WCIG.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Rebalancing How the Web is Built
http://manu.sporny.org/2016/rebalancing/

Received on Thursday, 31 August 2017 16:00:06 UTC